Authority Threat Model (STRIDE)

Prepared by Security Guild — 2025-10-12. Scope covers Authority host, Standard plug-in, CLI, bootstrap workflow, and offline revocation distribution.

1. Scope & Method

  • Methodology: STRIDE applied to primary Authority surfaces (token issuance, bootstrap, revocation, operator tooling, plug-in extensibility).
  • Assets in scope: identity credentials, OAuth tokens (access/refresh), bootstrap invites, revocation manifests, signing keys, audit telemetry.
  • Out of scope: Third-party IdPs federated via OpenIddict (tracked separately in SEC6 backlog).

2. Assets & Entry Points

| Asset / Surface | Description | Primary Actors |
| --- | --- | --- |
| Token issuance APIs (/token, /authorize) | OAuth/OIDC endpoints mediated by OpenIddict | CLI, UI, automation agents |
| Bootstrap channel | Initial admin invite + bootstrap CLI workflow | Platform operators |
| Revocation bundle | Offline JSON + detached JWS consumed by agents | Concelier, Agents, Zastava |
| Plug-in manifests | Standard plug-in configuration and password policy overrides | Operators, DevOps |
| Signing keys | ES256 signing keys backing tokens and revocation manifests | Security Guild, HSM/KeyOps |
| Audit telemetry | Structured login/audit stream persisted to Mongo/observability stack | SOC, SecOps |

3. Trust Boundaries

| Boundary | Rationale | Controls |
| --- | --- | --- |
| TB1 — Public network ↔️ Authority ingress | Internet/extranet exposure for /token, /authorize, /bootstrap | TLS 1.3, reverse proxy ACLs, rate limiting (SEC3.A / CORE8.RL) |
| TB2 — Authority host ↔️ Mongo storage | Credential store, revocation state, audit log persistence | Authenticated Mongo, network segmentation, deterministic serializers |
| TB3 — Authority host ↔️ Plug-in sandbox | Plug-ins may override password policy and bootstrap flows | Code signing, manifest validation, restart-time loading only |
| TB4 — Operator workstation ↔️ CLI | CLI holds bootstrap secrets and revocation bundles | OS keychain storage, MFA on workstations, offline kit checksum |
| TB5 — Authority ↔️ Downstream agents | Revocation bundle consumption, token validation | Mutual TLS (planned), detached JWS signatures, bundle freshness checks |

4. Data Flow Diagrams

4.1 Runtime token issuance

flowchart LR
    subgraph ClientTier["Client Tier"]
        CLI[StellaOps CLI]
        UI[UI / Automation]
    end
    subgraph Perimeter
        RP[Reverse Proxy / WAF]
    end
    subgraph Authority
        AUTH[Authority Host]
        PLGIN[Standard Plug-in]
        STORE[(Mongo Credential Store)]
    end
    CLI -->|OAuth password / client creds| RP --> AUTH
    UI -->|OAuth flows| RP
    AUTH -->|PasswordHashOptions + Secrets| PLGIN
    AUTH -->|Verify / Persist hashes| STORE
    STORE -->|Rehash needed| AUTH
    AUTH -->|Access / refresh token| RP --> ClientTier

4.2 Bootstrap & revocation

flowchart LR
    subgraph Operator
        OPS[Operator Workstation]
    end
    subgraph Authority
        AUTH[Authority Host]
        STORE[(Mongo)]
    end
    subgraph Distribution
        OFFKIT[Offline Kit Bundle]
        AGENT[Authorized Agent / Concelier]
    end
    OPS -->|"Bootstrap CLI (`stellaops auth bootstrap`)"| AUTH
    AUTH -->|One-time invite + Argon2 hash| STORE
    AUTH -->|"Revocation export (`stellaops auth revoke export`)"| OFFKIT
    OFFKIT -->|Signed JSON + .jws| AGENT
    AGENT -->|Revocation ACK / telemetry| AUTH
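
The agent-side check implied by the `Signed JSON + .jws` edge and the TB5 controls (detached JWS signature, bundle freshness), added here as an example and not the project's verification script. It assumes an RFC 7515 Appendix F detached JWS (`header..signature`), a hypothetical `issuedAt` epoch-seconds field and a `kid`-indexed key registry; P-256 verification is written out in pure Python only so the block runs without dependencies, and a deployment would call a vetted crypto library instead.

```python
import base64, hashlib, json

# NIST P-256 parameters (ES256 = ECDSA over P-256 with SHA-256); curve a = -3.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p == q else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, p):
    r = None                                 # double-and-add over public inputs only
    while k:
        if k & 1:
            r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def b64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_revocation_bundle(bundle, jws, registry, now, max_age=86400):
    """bundle: raw JSON bytes; jws: 'header..signature'; registry: kid -> public point."""
    head, payload, sig_b64 = jws.split(".")  # malformed input raises ValueError
    header = json.loads(b64u(head))
    if payload or header.get("alg") != "ES256":   # detached form only, algorithm pinned
        return "rejected: not a detached ES256 JWS"
    pub, sig = registry.get(header.get("kid")), b64u(sig_b64)
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pub is None or len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return "rejected: unknown key or malformed signature"
    signing_input = head.encode() + b"." + base64.urlsafe_b64encode(bundle).rstrip(b"=")
    z, w = int.from_bytes(hashlib.sha256(signing_input).digest(), "big"), pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    if pt is None or pt[0] % N != r:
        return "rejected: bad signature"
    if not 0 <= now - json.loads(bundle).get("issuedAt", 0) <= max_age:  # parsed only after verify
        return "rejected: outside freshness window"
    return "ok"
```

The bundle JSON is parsed only after the signature has verified, so an unauthenticated bundle never reaches the agent's parser beyond the JWS header.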

5. STRIDE Analysis

| Threat | STRIDE Vector | Surface | Risk (L×I) | Existing Controls | Gaps / Actions | Owner |
| --- | --- | --- | --- | --- | --- | --- |
| Spoofed revocation bundle | Spoofing | TB5 — Authority ↔️ Agents | Med×High | Detached JWS signature (planned), offline kit checksums | Finalise signing key registry & verification script (SEC4.B/SEC4.HOST); add bundle freshness requirement | Security Guild (follow-up: SEC5.B) |
| Parameter tampering on /token | Tampering | TB1 — Public ingress | Med×High | ASP.NET model validation, OpenIddict, rate limiter (CORE8.RL) | Tampered requests emit authority.token.tamper audit events (request.tampered, unexpected parameter names) correlating with /token outcomes (SEC5.C) | Security Guild + Authority Core (follow-up: SEC5.C) |
| Bootstrap invite replay | Repudiation | TB4 — Operator CLI ↔️ Authority | Low×High | One-time bootstrap tokens, Argon2id hashing on creation | Invites expire automatically and emit audit events on consumption/expiration (SEC5.D) | Security Guild |
| Token replay by stolen agent | Information Disclosure | TB5 | Med×High | Signed revocation bundles, device fingerprint heuristics, optional mTLS | Monitor revocation acknowledgement latency via Zastava and tune replay alerting thresholds | Security Guild + Zastava (follow-up: SEC5.E) |
| Privilege escalation via plug-in override | Elevation of Privilege | TB3 — Plug-in sandbox | Med×High | Signed plug-ins, restart-only loading, configuration validation | Add static analysis on manifest overrides + runtime warning when policy weaker than host | Security Guild + DevOps (follow-up: SEC5.F) |
| Offline bundle tampering | Tampering | Distribution | Low×High | SHA256 manifest, signed bundles (planned) | Add supply-chain attestation for Offline Kit, publish verification CLI in docs | Security Guild + Ops (follow-up: SEC5.G) |
| Failure to log denied tokens | Repudiation | TB2 — Authority ↔️ Mongo | Med×Med | Serilog structured events (partial), Mongo persistence path (planned), Standard plug-in credential telemetry (authority.plugin.standard.password_verification) | Finalise audit schema (SEC2.A), require the same audit contract for third-party plug-ins, and ensure /token denies include subject/client/IP fields | Security Guild + Authority Core (follow-up: SEC5.H) |

Risk scoring uses a qualitative scale (Low/Med/High) for likelihood × impact; mitigation priority follows High > Med > Low.
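
For the "Parameter tampering on /token" row, one way to derive the `authority.token.tamper` event from a form body, added here as an example and not taken from the Authority code base. The per-grant allow-list and the property names `request.unexpected_parameters`, `request.duplicated_parameters`, `client_ip` and `correlation_id` are assumptions; only `authority.token.tamper` and `request.tampered` come from the table.

```python
from urllib.parse import parse_qsl

# Assumed allow-list of form fields per grant type (RFC 6749, plus PKCE from RFC 7636).
CLIENT = {"grant_type", "client_id", "client_secret"}
ALLOWED = {
    "password": CLIENT | {"username", "password", "scope"},
    "client_credentials": CLIENT | {"scope"},
    "refresh_token": CLIENT | {"refresh_token", "scope"},
    "authorization_code": CLIENT | {"code", "redirect_uri", "code_verifier"},
}

def inspect_token_request(body, client_ip, correlation_id):
    """Return an authority.token.tamper event for a suspicious form body, else None."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = [name for name, _ in pairs]
    grants = [value for name, value in pairs if name == "grant_type"]
    # Only a single, known grant_type selects an allow-list; anything else is
    # left to normal validation, but repeated fields are still reported.
    allowed = ALLOWED.get(grants[0]) if len(grants) == 1 else None
    unexpected = sorted(set(names) - allowed) if allowed else []
    duplicated = sorted({n for n in names if names.count(n) > 1})
    if not unexpected and not duplicated:
        return None
    return {  # names only: values may be passwords, client secrets or refresh tokens
        "event": "authority.token.tamper",
        "request.tampered": True,
        "request.unexpected_parameters": unexpected,   # hypothetical property name
        "request.duplicated_parameters": duplicated,   # hypothetical property name
        "grant_type": grants[0] if allowed else "unresolved",
        "client_ip": client_ip,                        # hypothetical property name
        "correlation_id": correlation_id,              # hypothetical property name
    }

# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "grant_type=client_credentials&client_id=cli&client_secret=s3cr3t&scope=auth.read",
    "grant_type=password&username=ops&password=hunter2&debug=1&scope=a&scope=b",
    "grant_type=password&grant_type=client_credentials&username=a&password=b",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_token_request(sample, "203.0.113.7", "corr-0001"))
```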

6. Follow-up Backlog Hooks

| Backlog ID | Linked Threat | Summary | Target Owners |
| --- | --- | --- | --- |
| SEC5.PLG | TB3 — Plug-in sandbox | Standard plug-in mitigations documented: Argon2 bootstrap enforcement, password-policy warnings, and credential audit telemetry (plugin.retry_after_seconds, plugin.lockout_until) wired into SOC pipelines. | Security Guild + BE-Auth Plugin |
| SEC5.B | Spoofed revocation bundle | Complete libsodium/Core signing integration and ship revocation verification script. | Security Guild + Authority Core |
| SEC5.C | Parameter tampering on /token | Finalise audit contract (SEC2.A) and add request tamper logging. | Security Guild + Authority Core |
| SEC5.D | Bootstrap invite replay | Implement expiry enforcement + audit coverage for unused bootstrap invites. | Security Guild |
| SEC5.E | Token replay by stolen agent | Coordinate Zastava alerting with the new device fingerprint heuristics and surface stale revocation acknowledgements. | Security Guild + Zastava |
| SEC5.F | Plug-in override escalation | Static analysis of plug-in manifests; warn on weaker password policy overrides. | Security Guild + DevOps |
| SEC5.G | Offline bundle tampering | Extend Offline Kit build to include attested manifest + verification CLI sample. | Security Guild + Ops |
| SEC5.H | Failure to log denied tokens | Ensure audit persistence for all /token denials with correlation IDs. | Security Guild + Authority Core |

Update src/__Libraries/StellaOps.Cryptography/TASKS.md (Security Guild board) with the above backlog entries to satisfy SEC5.A exit criteria.

5.1 Plugin telemetry status (SEC5.PLG — 2025-11-09)

  • Standard plug-in password verification now emits authority.plugin.standard.password_verification with caller correlation IDs, client metadata, tenant IDs, and full network context sourced from AuthorityCredentialAuditContext. Events classify outcomes via the extended AuthEventOutcome set (LockedOut, RequiresFreshAuth, RequiresMfa) so SOC tooling can distinguish lockouts from MFA prompts.
  • Audit properties were standardised: plugin.failed_attempts, plugin.lockout_until, plugin.retry_after_seconds, plugin.rehashed, and plugin.failure_code are present on both the plug-in event and the host-level /token record. plugin.retry_after_seconds is derived deterministically from the retry window, ensuring consistent rate-limit responses for air-gapped tenants.
  • Bootstrap mitigations were documented in docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md: Argon2id hashing, enforced password policies, default RequirePasswordReset, and registrar warnings when an operator weakens the baseline policy. These measures close the SEC5.PLG action item and provide auditors with evidence hooks for Offline Kit reviews.
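
The weaker-than-baseline warning described in the last bullet (and in SEC5.F), written out as an added example rather than the registrar's own code. The baseline values, the `passwordPolicy` key and every setting name are hypothetical stand-ins for the plug-in manifest schema.

```python
import json

# Hypothetical host baseline; the key names are assumptions, not the plug-in schema.
HOST_BASELINE = {
    "minimumLength": 12,
    "requireUppercase": True,
    "requireLowercase": True,
    "requireDigit": True,
    "requireSymbol": True,
}

def weaker_overrides(override, baseline=HOST_BASELINE):
    """List every override that is unknown, mistyped or weaker than the host baseline."""
    findings = []
    for key, value in sorted(override.items()):
        if key not in baseline:
            # A misspelt key silently leaves the intended setting at its default.
            findings.append(f"{key}: unknown key, not a recognised policy setting")
            continue
        floor = baseline[key]
        if type(value) is not type(floor):
            # Exact type match: bool is an int subclass, so True would pass as length 1.
            findings.append(f"{key}: expected {type(floor).__name__}, got {type(value).__name__}")
        elif value < floor:
            # Covers both kinds of setting: 8 < 12 and False < True.
            findings.append(f"{key}: {value!r} is weaker than host baseline {floor!r}")
    return findings

# Constructed manifest fragment (not a real plug-in manifest).
SAMPLE_MANIFEST = json.loads("""
{"passwordPolicy": {"minimumLength": 8, "requireDigit": true,
                    "requireSymbol": false, "minimumLenght": 16}}
""")

if __name__ == "__main__":
    for finding in weaker_overrides(SAMPLE_MANIFEST["passwordPolicy"]):
        print("WARN", finding)
```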